Hashcash.io Reveals Strategy for Capitalizing on Spammers

Hashcash.io recently released a WordPress plugin with a unique method of deterring spammers: it forces the user’s browser to solve math before unlocking login, registration and comment forms. The project site hints at an upcoming cash feature wherein users can “Make Bots Work For You.”

This week Hashcash.io creator Pavel Karoukin elaborated on plans to help users make some cash while stopping spammers. The cash feature will combine Dogecoin (an open source cryptocurrency), hashcash.org and the proof-of-work concept.

My idea was to bring what hashcash.org offered for email spam to web applications, i.e. make it slightly expensive for a browser to submit an actual form by calculating proof of work. Except I wanted this proof of work to do something meaningful.

Karoukin first explored the idea of mining bitcoins with browsers but shortly thereafter GPUs took over the task and in-browser mining was no longer an option. “Later a new altcoin was introduced – Litecoin based on scrypt algorithm, which was harder to parallelize on the GPU,” he said. “That’s where I started looking into implementing miner into client-side Javascript.”

Karoukin used emscripten to compile the scrypt version of cpuminer into asm.js code, wrapped it in Web Workers and some API, and Hashcash.io was born. After using it on a few of his websites, he found that “100% of spam and bot-registered accounts were eliminated.”

His concept of making bots work for you is an entirely new take on the problem of combating spam. It’s less about detecting spammers and more akin to the concept of throttling. “The idea is not to differentiate between bots or humans, but rather make posts cost money and time (i.e. wait until it is done.),” Karoukin commented on our recent article. “Think about it as a throttling rather than if () {} else {} thingy.”
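
A minimal sketch of the proof-of-work form gate described above, added here as an illustration and not Hashcash.io's code: it substitutes SHA-256 leading-zero-bit hashcash for the scrypt miner, and the challenge format, `SERVER_KEY` and all function names are assumptions. Each extra bit of difficulty doubles the client's expected search, while the server's check stays at one HMAC and one hash.

```javascript
const crypto = require("crypto");

const SERVER_KEY = crypto.randomBytes(32); // hypothetical per-process secret
const spent = new Set(); // challenges already redeemed (replay guard)

// Server: challenge = formId:bits:expires:nonce:mac (formId must not contain ":").
function issueChallenge(formId, bits, ttlMs = 120000, now = Date.now()) {
  const nonce = crypto.randomBytes(8).toString("hex");
  const body = [formId, bits, now + ttlMs, nonce].join(":");
  const mac = crypto.createHmac("sha256", SERVER_KEY).update(body).digest("hex");
  return `${body}:${mac}`;
}

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let n = 0;
  for (const byte of buf) {
    if (byte !== 0) return n + Math.clz32(byte) - 24;
    n += 8;
  }
  return n;
}

const work = (c, n) => crypto.createHash("sha256").update(`${c}:${n}`).digest();

// Client: the search a browser would run (in a Web Worker) before submitting.
function solve(challenge) {
  const bits = Number(challenge.split(":")[1]);
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(work(challenge, counter)) >= bits) return counter;
  }
}

// Server: cheap to check, however long the client searched.
function verify(challenge, counter, formId, now = Date.now()) {
  const parts = String(challenge).split(":");
  if (parts.length !== 5) return "malformed";
  const [form, bits, expires, , mac] = parts;
  const good = crypto.createHmac("sha256", SERVER_KEY)
    .update(parts.slice(0, 4).join(":")).digest("hex");
  const a = Buffer.from(mac), b = Buffer.from(good);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return "forged";
  if (form !== formId) return "wrong-form"; // solution for another form
  if (now > Number(expires)) return "expired"; // blocks stockpiled solutions
  if (leadingZeroBits(work(challenge, counter)) < Number(bits)) return "no-work";
  if (spent.has(challenge)) return "replayed"; // one submission per solution
  spent.add(challenge);
  return "ok";
}
```

In a real deployment the `spent` set would be shared across workers and pruned once a challenge's expiry has passed.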

The Problem With CAPTCHAs

CAPTCHAs have long been the impenetrable standard for sites that are serious about keeping spammers out, and are still used on many major sites such as Google and Yahoo. Unfortunately, internet users almost universally despise CAPTCHAs, especially reCAPTCHA. Karoukin notes that Google actually uses you to service its own business objectives by manipulating reCAPTCHAs to make you decode street numbers and digitize content for Google Books and the Google News archives.

The Hashcash.io project turns this on its head and aims to shift the burden of work onto the spammer instead of actual human users. Karoukin hopes that website owners will one day be able to profit from the spammers that visit their websites:

So the grand vision of this project is to eventually make it possible for a website admin to get paid for each proof-of-work solved on his site. So even if spammers eventually start solving these, at least the website admin will get paid. But for this to happen the pool needs to acquire a critical mass of websites using it to successfully generate shares in a reasonable amount of time. Right now this is not possible. And this is another reason there is nothing behind the login form – there is no revenue as of now to share with website admins.

The project is still in the very early stages of development and Karoukin is currently working to create painless integration with Drupal, WordPress, Django, and jQuery. Once the project generates a single dogecoin at address DMGQ5Ah5D7FSBL2uKiugwHQneGdugnvZfP, Karoukin will start working on the next phase to include a dashboard and revenue sharing.

Hashcash.io’s unique strategy of tackling comment spam may have a promising future if it is able to reach the critical mass required to make it profitable for website owners. Otherwise, it’s just another unjustifiable inconvenience on login, registration and comment forms.

Karoukin needs more sites using it in order to get there, as well as feedback from developers. Find out more about the WordPress plugin in our recent review where Karoukin expounds on the finer points of the technology in the comments. Do you think the idea of making some cash while stopping spammers is a viable concept?


13 responses to “Hashcash.io Reveals Strategy for Capitalizing on Spammers”

  1. I tested this plugin and it is mostly dead in the mobile era. When you try to unblock a form from a smartphone you will need ages to solve the math (more than one minute on my Android dual core smartphone). In short, this plugin stops spammers and good comments as well.

    • This is indeed a valid problem today and, depending on the site, might be a reason to not use the plugin. But before you decide, make sure to run statistics on which browsers/devices are used by people posting actual comments. Very likely the majority of mobile users are just browsing (of course it is not universal, it might be quite the opposite).

  2. I have a few ideas on how to implement this type of functionality myself, but I need to find the time to implement them :/

    My idea, is that if the computer can’t do the calculation in time, then it just gives up and defaults to a CAPTCHA instead. This allows users on even seriously junky hardware to bypass the block, albeit at the expense of needing to answer a CAPTCHA.

    I don’t think this sort of thing should be used as a first line of defense though. There are less problematic ways to block the majority of spam than this. I’d use this sort of technique on top of a bunch of other methods as a last line of defense before resorting to forcing a CAPTCHA on everyone.

    • Someone else is working on similar functionality for Drupal (i.e. hashcash when the browser is capable, and captcha when it is not). But I am concerned that this will undermine security. There are ways to automate captcha solving, but there is no way around solving hashcash… so if you do it – make sure to keep the captcha fallback optional and not turned on by default.

      • You can automate the solving of a hashcash puzzle too :P Solving CAPTCHAs requires processing power too, just like with the hashcash approach.

        • But you can’t change the complexity of the captcha with a simple number adjustment (at least with reCaptcha). There were some plugins which allowed changing the level of distortion, but there is a limit too.

          With hashcash you have flexibility – if you get tons of spam non-stop – you increase the value of complexity. So for example, if a spammer posts 1000 messages, and with complexity of 0.01 it takes on a good machine and browser an average of 5 seconds, it takes him 5000 seconds to post them.

          Now you increase it to 0.02 and now it takes twice as long, while a regular user has to wait 10 seconds instead of 5. (And I am working on an idea where the calculation will be happening in the background, so the user really will not be waiting for anything in most cases.)

          • You can increase the complexity of a CAPTCHA, but you are correct that there is a limit to how far that can go. Eventually it will just tick the user off. The same applies to the hashcash route though as the user will eventually get sick of the length of time required for the calculation. I’m not sure what would take longer, solving a CAPTCHA or cracking a hashcash.

            If you have any data on that sort of thing, I’d love to hear about it :) At the moment I’m just guessing that they’d be comparable.

            I do intend to cater for your concern though, as I’m intending to have various levels of protection which will automatically ramp up as more spam arrives. If the user reports too much spam, I’ll crank the protection level up a notch. Eventually there would be both a CAPTCHA as well as other various protections to stop whatever hyper aggressive spammer might be attacking your site. I am still a wee way off getting that implemented though.

  3. What an innovative and possibly game changing approach, once the problems are ironed out. Bravo!

  4. Yesterday I brainstormed some ideas on how to make it even less painful for users (including mobile users). The concept will stay the same, but the UX will be different. Should solve mobile users’ pains as well.

    I am going to work on new version this weekend. Stay tuned :)

  5. I’ve used it on a site of mine, and it has decreased the amount of emails I get from Limit Login Attempts to zero. So – for me – it’s a success and a thumbs up.

    Curious to hear about the rev-sharing though :)

    • If you try it, I’d love to hear if it makes you a single cent. I haven’t crunched the numbers on it, but my gut says that there won’t be enough processing power provided via commenters to make any real money from it. Hopefully I’m wrong though. This would be a handy way to bankroll my blog :)

  6. This sounds awesome! :D One thing that came to my mind with this thread was whether it would be possible to insert this on the pages that generally do not need to be publicly accessible. Stuff like /plugins and such that bots try to access a lot of times. If this could be done for those sites it would certainly be a game changer :)

    • If the page should not be publicly accessible, then just making it non-publicly accessible seems like a better option than trying to block bots from accessing it.

